Your Redis instance may be publicly accessible. #214

Open
fshmcallister opened this issue Jan 20, 2020 · 8 comments

Comments

@fshmcallister
Contributor

We detected that a {service} instance on {devices} may be accessible remotely. Consider either blocking port {port} through the WoTT firewall management tool, or re-configure {service} to only listen on localhost. Part of #198

@fshmcallister
Contributor Author

fshmcallister commented Jan 20, 2020

TITLE
A Redis instance may be publicly accessible

TL;DR
Your Redis instance may be publicly accessible. Consider reconfiguring your Redis to listen only on the localhost, or using secured channels only such as TCP through port 6379.

FAQ
Redis (remote dictionary server) is an open-source data structure store with several uses, including as an alternative NoSQL database system. However, Redis does not have any robust security features of its own, and is intended for use by trusted clients in a trusted network. It is therefore not recommended to have a Redis instance exposed over the internet, even across a TCP channel through port 6379. To circumvent this, set your Redis instance to only listen to the localhost by binding it to the localhost. You can do this through your firewall directly, for example through WoTT's firewall tool, or the service config itself.

Through the Redis config file, /etc/redis/redis.conf, you will already see that the line binding the server to the localhost exists, and just needs to be uncommented:

```
bind 127.0.0.1
```

By default, the service listens to the localhost. This may have changed if you have since changed the Redis settings. If there are specific IPs you wish to add, you will need to add the address to the config through the same bind command. We would strongly recommend enabling password protection as well in this instance by adding this in the config:

```
requirepass yourPasswordHere
```

@vpetersson
Collaborator

> No-SQL database system

NoSQL

> over an internet network

?

@fshmcallister
Contributor Author

As in accessible via internet as opposed to a private connection. Does it not make sense?

@vpetersson
Collaborator

I would probably say "exposed over the internet" instead for greater clarity.

@fshmcallister
Contributor Author

Sure, let me update the block now.

@fshmcallister
Contributor Author

Done

@fshmcallister
Contributor Author

fshmcallister commented Jan 27, 2020

TITLE
A Redis instance may be publicly accessible

TL;DR
Your Redis instance may be publicly accessible. This could cause accidental customer data leakage. According to [Shodan](https://www.shodan.io/), there are over 640,000 publicly exposed Redis servers on the internet. Consider re-configuring your Redis to listen only on the localhost, or lock down access to Redis using a firewall if it needs to be accessible on the network.

FAQ
Redis is an open-source data store with several uses, but most often used for caching. Unfortunately, Redis does not have any robust security features of its own, and is intended for use by trusted clients in a trusted network. It is therefore not recommended to have a Redis instance exposed over the internet.

Because the default configuration of many Redis installations binds on all public network interfaces, there have been countless examples of Redis instances being publicly available over the internet, which in turn has led to data leaks.

If you don't need your Redis installation to be accessible over the network, we recommend that you re-configure Redis to only bind on the loopback/localhost interface to avoid this. If on the other hand you do need your Redis instance to be accessible over the network, we recommend that you create a firewall policy that only allows a select number of servers to talk to the Redis instance, while also setting a Redis password.

To reconfigure Redis to only listen on localhost, edit the Redis config file (usually `/etc/redis/redis.conf`) and change the bind option to the following:

```
bind 127.0.0.1
```

We would also recommend that you enable password protection. You can do this by adding the following line to your configuration file:

```
requirepass yourPasswordHere
```

Please note that you need to restart Redis in order for the changes to apply. You can do that by running:

```
$ sudo service redis restart
```

If you need network access to Redis, you can create a firewall policy using the WoTT Dashboard. By default, Redis uses port 6379/tcp.

Code Snippet

None for now.
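As an added example (not part of this issue or of the WoTT project's code), a small Python audit of a `redis.conf` that flags the two conditions both write-ups above describe: a `bind` on a non-loopback interface and a missing `requirepass`. It goes slightly beyond the issue text by accounting for Redis's `protected-mode` default (Redis 3.2 and later), which shields an instance that has neither a `bind` line nor a password; the sample configs are constructed.

```python
"""Audit a redis.conf for the exposure described in this issue (example code)."""
import ipaddress
from dataclasses import dataclass, field

LOOPBACK_NAMES = {"127.0.0.1", "::1", "localhost"}

@dataclass
class RedisAudit:
    bind: list = field(default_factory=list)   # addresses from the effective bind line
    requirepass: bool = False
    protected_mode: bool = True                # Redis >= 3.2 default when unset
    findings: list = field(default_factory=list)

def parse_directives(text):
    """Yield (name, args) for each non-comment line; later lines override earlier ones."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        yield name.lower(), args

def is_loopback(addr):
    addr = addr.lstrip("-")    # Redis 7 marks optional addresses with a leading '-'
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False           # hostnames other than localhost: treat as exposed

def audit_redis_conf(text):
    audit = RedisAudit()
    for name, args in parse_directives(text):
        if name == "bind":
            audit.bind = args
        elif name == "requirepass":
            audit.requirepass = bool(args) and args[0].strip('"') != ""
        elif name == "protected-mode":
            audit.protected_mode = args[:1] == ["yes"]
    exposed = [a for a in audit.bind if not is_loopback(a)]
    if not audit.bind:
        # No bind line means every interface; protected-mode without a password
        # still refuses non-loopback clients, otherwise the instance is open.
        if not (audit.protected_mode and not audit.requirepass):
            audit.findings.append("listens on all interfaces (no bind directive)")
    elif exposed:
        audit.findings.append("bound to non-loopback address(es): " + ", ".join(exposed))
    if audit.findings and not audit.requirepass:
        audit.findings.append("no requirepass set")
    return audit

# Constructed samples: the bind line left commented out vs. the hardened file from above.
EXPOSED_CONF = "# bind 127.0.0.1\nprotected-mode no\nport 6379\n"
HARDENED_CONF = "bind 127.0.0.1 ::1\nrequirepass yourPasswordHere\n"
```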

@a-martynovich
Contributor

@fshmcallister subtitle?
